CVE-2026-33651

Severity: High · ⚡ Exploit Available
Weakness Type: CWE-89
Published: Mar 23, 2026  ·  Modified: Mar 29, 2026  ·  Source: NVD
CVSS v3: 8.1
📄 Description (English)

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `remindMe.json.php` endpoint passes `$_REQUEST['live_schedule_id']` through multiple functions without sanitization until it reaches `Scheduler_commands::getAllActiveOrToRepeat()`, which directly concatenates it into a SQL `LIKE` clause. Although intermediate functions (`new Live_schedule()`, `getUsers_idOrCompany()`) apply `intval()` internally, they do so on local copies within `ObjectYPT::getFromDb()`, leaving the original tainted variable unchanged. Any authenticated user can perform time-based blind SQL injection to extract arbitrary database contents. Commit 75d45780728294ededa1e3f842f95295d3e7d144 contains a patch.
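The root cause described above is that the integer coercion happened on local copies while the original request value still reached the query. The following is an added example, not AVideo's code, written in Python rather than PHP so it runs stand-alone; the table shape and the lookup query are assumed. It shows the validate-at-the-boundary pattern the patching guidance calls for: the validated value is the only one that flows downstream, and it is bound as a query parameter instead of being concatenated into the SQL.

```python
import re
import sqlite3
from typing import Optional

# Accept only a clean decimal integer (optional sign, digits). Anything else is rejected
# rather than coerced: PHP's intval("42abc") would silently become 42 and hide tampering.
_INT_RE = re.compile(r"^-?[0-9]{1,18}$")


def validate_schedule_id(raw: object) -> Optional[int]:
    """Return live_schedule_id as an int, or None when the request value is not a clean integer.

    The caller must use the returned value: the advisory's root cause was integer coercion
    applied inside helpers whose result never replaced the original request variable.
    """
    if not isinstance(raw, str):
        return None
    s = raw.strip()
    if not _INT_RE.fullmatch(s):
        return None
    return int(s)


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for live_schedule data (assumed shape)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE live_schedule (id INTEGER PRIMARY KEY, title TEXT, status TEXT)")
    conn.executemany(
        "INSERT INTO live_schedule VALUES (?, ?, ?)",
        [(1, "Weekly town hall", "a"), (2, "Ops sync", "a"), (3, "Archived call", "i")],
    )
    return conn


def active_schedule(conn: sqlite3.Connection, request_params: dict) -> list:
    """Handler-side lookup: validate at the boundary, then bind the validated value.

    Binding (the ? placeholder) means user input can never change the shape of the SQL,
    which is the fix whether the sink is an = comparison or the LIKE clause in the advisory.
    """
    schedule_id = validate_schedule_id(request_params.get("live_schedule_id"))
    if schedule_id is None:
        raise ValueError("live_schedule_id must be an integer")
    return conn.execute(
        "SELECT id, title FROM live_schedule WHERE status = 'a' AND id = ?",
        (schedule_id,),
    ).fetchall()
```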

🤖 AI Executive Summary

CVE-2026-33651 is a time-based blind SQL injection vulnerability in WWBN AVideo versions up to 26.0 affecting the remindMe.json.php endpoint. Authenticated users can exploit improper input sanitization in the live_schedule_id parameter to extract arbitrary database contents. With a CVSS score of 8.1 and publicly available exploits, this poses a significant risk to organizations deploying AVideo for internal video streaming and content management.

🤖 AI Intelligence Analysis (analyzed: Apr 26, 2026 11:50)
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using WWBN AVideo for internal video platforms—particularly in government agencies (NCA, CITC), banking sector (SAMA-regulated institutions), healthcare facilities, and large enterprises—face significant risk. The vulnerability allows authenticated insiders or compromised accounts to exfiltrate sensitive data including user credentials, financial records, and confidential communications. Government entities using AVideo for secure internal communications are particularly vulnerable to data breach and compliance violations under NCA ECC 2024 and SAMA CSF frameworks.
🏢 Affected Saudi Sectors
Government (NCA, CITC, Ministry entities); Banking and Financial Services (SAMA-regulated); Healthcare; Energy (ARAMCO, utilities); Telecommunications (STC, Mobily); Education; Large Enterprises with internal video platforms
⚖️ Saudi Risk Score (AI): 8.2 / 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Identify all WWBN AVideo instances in your environment running versions ≤26.0
2. Restrict access to remindMe.json.php endpoint via WAF rules or network segmentation
3. Review authentication logs for suspicious activity on remindMe.json.php with unusual live_schedule_id parameters
4. Monitor for time-based SQL injection patterns (requests with delays, SLEEP(), BENCHMARK() functions)

Patching Guidance:
1. Upgrade WWBN AVideo to version >26.0 immediately (apply commit 75d45780728294ededa1e3f842f95295d3e7d144 or later)
2. If immediate patching is not possible, apply input validation: ensure live_schedule_id is strictly integer-validated before any database operations
3. Test patch in staging environment before production deployment

Compensating Controls:
1. Implement database query logging and anomaly detection for LIKE clause injections
2. Apply principle of least privilege to database user accounts running AVideo
3. Enable SQL query timeout limits to mitigate blind SQL injection exploitation
4. Deploy WAF rules to block requests containing SQL injection payloads (SLEEP, BENCHMARK, WAITFOR)
5. Implement rate limiting on remindMe.json.php endpoint

Detection Rules:
1. Alert on remindMe.json.php requests with non-numeric live_schedule_id values
2. Monitor for requests with live_schedule_id containing SQL keywords (UNION, SELECT, SLEEP)
3. Track database query execution times exceeding normal thresholds
4. Log all authenticated access to remindMe.json.php with parameter values
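The four detection rules above, implemented over constructed access-log lines as an added example (not from the page's author). The parser assumes Apache combined format with the response time in seconds appended as a final field and a root-level /remindMe.json.php path; it decodes the query string before checking that live_schedule_id is numeric, flags SQL keywords, flags slow responses, and returns an audit record for every hit on the endpoint.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines (not real traffic): Apache combined format with the
# response time in seconds appended as a final field. The endpoint path is assumed.
SAMPLE_LOG = """\
10.0.0.5 - alice [23/Mar/2026:10:01:02 +0300] "GET /remindMe.json.php?live_schedule_id=42 HTTP/1.1" 200 85 "-" "Mozilla/5.0" 0.031
10.0.0.7 - bob [23/Mar/2026:10:01:09 +0300] "GET /remindMe.json.php?live_schedule_id=42%27%20UNION%20SELECT%201 HTTP/1.1" 200 85 "-" "curl/8.4" 0.044
10.0.0.7 - bob [23/Mar/2026:10:01:15 +0300] "GET /remindMe.json.php?live_schedule_id=abc HTTP/1.1" 200 85 "-" "curl/8.4" 5.102
10.0.0.9 - carol [23/Mar/2026:10:02:00 +0300] "GET /index.php HTTP/1.1" 200 1400 "-" "Mozilla/5.0" 0.012
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" (?P<rt>[\d.]+)$'
)
INT_RE = re.compile(r"^\d+$")
SQL_KEYWORDS = ("UNION", "SELECT", "SLEEP", "BENCHMARK")
SLOW_SECONDS = 3.0  # rule 3: flag responses far above the endpoint's normal latency


def inspect_line(line: str):
    """Return an audit record for one remindMe.json.php request (rule 4), or None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    if not target.path.endswith("/remindMe.json.php"):
        return None
    findings = []
    # parse_qs percent-decodes, so encoded quotes and spaces are inspected in decoded form.
    for value in parse_qs(target.query, keep_blank_values=True).get("live_schedule_id", []):
        value = value.strip()
        if not INT_RE.match(value):  # rule 1: non-numeric parameter value
            findings.append(f"non_numeric_live_schedule_id={value!r}")
        if any(k in value.upper() for k in SQL_KEYWORDS):  # rule 2: SQL keywords
            findings.append("sql_keyword_in_parameter")
    if float(m.group("rt")) >= SLOW_SECONDS:
        findings.append(f"slow_response={m.group('rt')}s")
    return {"ip": m.group("ip"), "user": m.group("user"), "ts": m.group("ts"), "findings": findings}


def scan(log_text: str) -> list:
    """Audit every endpoint hit and return only the records that carry a finding."""
    return [r for r in (inspect_line(ln) for ln in log_text.splitlines()) if r and r["findings"]]
```

Because the endpoint reads `$_REQUEST`, the parameter can also arrive in a POST body that access logs do not record, so the same numeric check belongs in the application or WAF layer as well.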
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.14.2.1 - Information security requirements analysis and specification; A.14.2.5 - Access control; A.13.1.1 - Network security perimeter; A.12.6.1 - Management of technical vulnerabilities
🔵 SAMA CSF
ID.BE-5 - Organizational resilience with respect to cybersecurity risk; PR.AC-1 - Identities and credentials are issued, managed, verified, revoked and audited; PR.DS-2 - Data-in-transit is protected; DE.CM-1 - The network is monitored to detect potential cybersecurity events
🟡 ISO 27001:2022
A.6.1.1 - Screening; A.8.2.1 - User registration and de-registration; A.8.2.3 - Management of privileged access rights; A.12.2.1 - Restrictions on access to information and application system functions; A.14.2.1 - Secure development policy
🟣 PCI DSS v4.0.1
Requirement 1.1 - Firewall configuration standards; Requirement 6.2 - Security patches and updates; Requirement 6.5.1 - Injection flaws
📦 Affected Products / CPE (1 entry): wwbn:avideo
📊 CVSS Score: 8.1 / 10.0 (High)
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector: Network (N)
Attack Complexity: Low (L)
Privileges Required: Low (L)
User Interaction: None (N)
Scope: Unchanged (U)
Confidentiality: High (H)
Integrity: High (H)
Availability: None (N)
📋 Quick Facts
Severity: High
CVSS Score: 8.1
CWE: CWE-89
Exploit: ✓ Yes
Patch: ✓ Yes
Published: 2026-03-23
Source Feed: nvd
🇸🇦 Saudi Risk Score: 8.2 / 10.0 (Priority: CRITICAL)
🏷️ Tags: exploit-available, patch-available, CWE-89